Retailers need to prepare for Calif. Consumer Privacy Act

California recently enacted the California Consumer Privacy Act (CCPA), effective January 1, 2020, a privacy law unprecedented in the U.S. that grants California residents a broad range of European-style privacy rights. Amendments passed on August 31, 2018, and signed into law on September 23, 2018, extend the time for the California attorney general (CaAG) to promulgate regulations to July 1, 2020, push back CaAG enforcement until the earlier of that date or six months after the final regulations are issued, and remove the CaAG's ability to intervene in private lawsuits. Fortunately for retailers, the CaAG's recommendation that the CCPA's limited private right of action be expanded was rejected, and language was even added to clarify the limits of consumer lawsuits.

Retailers need to begin preparing for the CCPA now. Because consumer requests made on or after the law's effective date cover the preceding 12 months, businesses will need to start data mapping and record-keeping of personal information (PI) as of January 1, 2019. Data inventorying and management vendors are scrambling to update their platforms to support this, and the cost of such solutions is projected to be significant, on the order of $50,000 to $100,000 a year. Since enforcement could be delayed by up to six months depending on how long the regulations take to issue, a case can be made for waiting until the first quarter of 2019 to start compliance efforts, which may help with budgeting the expense. Further, before the CaAG's office can seek penalties, it must give the business notice and a 30-day opportunity to "cure," which may allow businesses that are mostly in compliance to avoid enforcement actions if they can quickly remediate inadequacies.

Under the CCPA, all Californians (the law governs PI of "consumers," defined as California residents, so employee data and other nonconsumer data are covered) will have the right to demand that a covered business provide them with a transportable copy of their PI, delete their PI (subject to some retention exceptions), not sell their PI, and provide them with both generic and consumer-specific information about PI collection and sharing. The CCPA will regulate "businesses," defined as for-profit entities that do business in California (commercial conduct that takes place wholly outside California is excluded), that determine the purposes and means of processing the data, and that meet any one of three thresholds: gross revenue greater than $25 million; annually buying, receiving for the business's commercial purposes, selling or sharing for commercial purposes the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of annual revenue from the sale of consumers' personal information. The 50,000 threshold will be quickly met by retailers that accept credit cards or run websites, as each unique card collected and each site visitor's IP address will count toward that number. Also covered is any affiliate of such an entity that operates under the same brand. There are also obligations and liabilities for certain types of service providers that process data on behalf of a regulated business, and for other third parties. The August amendments added a broad exemption for covered entities and business associates under the federal and California health care privacy laws, and an exclusion for PI collected, processed, sold or disclosed pursuant to federal and California laws regulating financial institutions.

A business must track the PI it collects and inform consumers, at or before collection and in any online privacy policy, which of the 11 defined categories of PI are collected and the purposes for collecting each category. It must also limit use of the PI to those purposes absent further advance notice. A business must inform consumers of their rights under the CCPA, and must have and honor a Web-based opt-out tool and program that enables consumers to prevent the sale of their PI. A business must not solicit an opt-in for 12 months following an opt-out, and opt-in consent is required to sell the PI of youths under 16, with parental consent required for youths under 13. There must be two or more methods for submitting information requests. The types of information to which a consumer is entitled upon request are detailed and are provided on a consumer-specific basis, though not on a recipient-specific basis. A business cannot require the consumer to create an account, or under ordinary circumstances charge the consumer, as a condition of fulfilling a request or providing a copy of the consumer's PI in a readily usable format. Any consent-related incentives must be disclosed and offered on an opt-in-only basis.

A recipient of PI as part of a merger or asset sale may not alter how it uses or shares PI from the ways represented by the original business at the time of collection without first giving the consumer notice of the new or changed practices, and a recipient in a sale of data cannot resell the PI without notice and an opportunity for the consumer to opt out.

A business can be assessed civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, if it fails to cure the violation within 30 days of notice. There is a narrow private right of action, but it applies only to certain data breaches where the business failed to maintain reasonable security procedures and practices, and not to privacy violations. The August amendments made this limitation even clearer. The act includes language that should preclude using a violation of the CCPA as the basis for a claim under other consumer protection laws, though the class action bar may challenge that.

In recent weeks, industry groups, including the U.S. Chamber of Commerce, the Internet Association and the Interactive Advertising Bureau have called on Congress to pass a more harm-based omnibus federal privacy law that would preempt the CCPA and other state privacy and data security laws.

Businesses that are compliant with the European General Data Protection Regulation (GDPR) will have a head start over those that are not, because they will already have completed data mapping and implemented data inventory and processor-management tools and programs. Even so, there are material differences between the two schemes, so GDPR compliance alone will not satisfy the CCPA.

Alan Friel is a partner at the law firm BakerHostetler and a cochair of its retail industry group. He may be reached at AFriel@BakerLaw.com. The views expressed in this article are those of the author and not necessarily those of BakerHostetler or its clients.